build[SP-7277]: Bump bouncycastle version to 1.84

[befc]

This PR removes the bouncycastle version property override from the Apache driver pom.xml to allow it to default to the parent pom resolution.

[Copilot]

Pull request overview

This PR updates the Apache shim driver’s Maven configuration to inherit the Bouncy Castle version from the parent POM (per SP-7277), by removing the module-level override so the build uses the centrally managed version (intended to be 1.84).

Changes:

• Removed the bouncycastle.version property override (1.78) from the Apache driver POM.
• Left the dependency version reference as ${bouncycastle.version}, allowing parent POM resolution to control the actual Bouncy Castle version.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[hitachivantarasonarqube]

Quality Gate passed

Issues

• 0 New Issues
• 0 Fixed Issues
• 0 Accepted Issues

Measures

• 0 Security Hotspots
• No data about coverage (72.20% Estimated after merge)
• No data about duplications (1.20% Estimated after merge)

Project ID: org.pentaho:pentaho-hadoop-shims

View in SonarQube

[buildguy]

📦 Vulnerable Dependencies

✍️ Summary

SEVERITY	DIRECT DEPENDENCIES	IMPACTED DEPENDENCY	FIXED VERSIONS	CVES
Critical	io.netty:netty-codec-http:4.1.128.Final	io.netty:netty-codec-http 4.1.128.Final	[4.1.133.Final] [4.2.13.Final]	CVE-2026-42584
Critical	io.netty:netty-codec-http:4.1.128.Final	io.netty:netty-codec-http 4.1.128.Final	[4.1.133.Final] [4.2.13.Final]	CVE-2026-42581
High	io.netty:netty-codec-http2:4.1.128.Final	io.netty:netty-codec-http2 4.1.128.Final	[4.1.133.Final] [4.2.13.Final]	CVE-2026-42587
High	io.netty:netty-codec-http:4.1.128.Final	io.netty:netty-codec-http 4.1.128.Final	[4.1.133.Final] [4.2.13.Final]	CVE-2026-42587
High	io.netty:netty-codec-http:4.1.128.Final	io.netty:netty-codec-http 4.1.128.Final	[4.1.133.Final] [4.2.13.Final]	CVE-2026-42585
High	io.netty:netty-codec:4.1.128.Final	io.netty:netty-codec 4.1.128.Final	[4.1.133.Final]	CVE-2026-42583
High	io.netty:netty-codec-http2:4.1.128.Final	io.netty:netty-codec-http2 4.1.128.Final	[4.1.132.Final] [4.2.11.Final]	CVE-2026-33871
High	io.netty:netty-codec-http:4.1.128.Final	io.netty:netty-codec-http 4.1.128.Final	[4.1.132.Final] [4.2.10.Final]	CVE-2026-33870
Medium	io.netty:netty-codec-http:4.1.128.Final	io.netty:netty-codec-http 4.1.128.Final	[4.1.133.Final] [4.2.13.Final]	CVE-2026-42580
Medium	io.netty:netty-codec-http:4.1.128.Final	io.netty:netty-codec-http 4.1.128.Final	[4.1.133.Final] [4.2.13.Final]	CVE-2026-41417
Medium	io.netty:netty-codec-http:4.1.128.Final	io.netty:netty-codec-http 4.1.128.Final	[4.1.129.Final] [4.2.8.Final]	CVE-2025-67735

🔬 Research Details

[ CVE-2026-42584 ] io.netty:netty-codec-http 4.1.128.Final

Description:
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

[ CVE-2026-42581 ] io.netty:netty-codec-http 4.1.128.Final

Description:
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

[ CVE-2026-42587 ] io.netty:netty-codec-http2 4.1.128.Final

Description:
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

[ CVE-2026-42587 ] io.netty:netty-codec-http 4.1.128.Final

Description:
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

[ CVE-2026-42585 ] io.netty:netty-codec-http 4.1.128.Final

Description:
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

[ CVE-2026-42583 ] io.netty:netty-codec 4.1.128.Final

Description:
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes - 22 bytes if compressedLength == 1 - to force that allocation. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

[ CVE-2026-33871 ] io.netty:netty-codec-http2 4.1.128.Final

Description:
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of CONTINUATION frames. The server's lack of a limit on the number of CONTINUATION frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows an user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.

[ CVE-2026-33870 ] io.netty:netty-codec-http 4.1.128.Final

Description:
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.

[ CVE-2026-42580 ] io.netty:netty-codec-http 4.1.128.Final

Description:
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

[ CVE-2026-41417 ] io.netty:netty-codec-http 4.1.128.Final

Description:
Netty allows request-line validation to be bypassed when a DefaultHttpRequest or DefaultFullHttpRequest is created first and its URI is later changed via setUri(). The constructors reject CRLF and whitespace characters that would break the start-line, but setUri() does not apply the same validation. HttpRequestEncoder and RtspEncoder then write the URI into the request line verbatim. If attacker-controlled input reaches setUri(), this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final.

[ CVE-2025-67735 ] io.netty:netty-codec-http 4.1.128.Final

Description:
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the io.netty.handler.codec.http.HttpRequestEncoder has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when HttpRequestEncoder is used without proper sanitization of the URI. Any application / framework using HttpRequestEncoder can be subject to be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.

Note:

---

Frogbot also supports Contextual Analysis, Secret Detection, IaC and SAST Vulnerabilities Scanning. This features are included as part of the JFrog Advanced Security package, which isn't enabled on your system.

---

🐸 JFrog Frogbot

[buildguy]

❌ Build failed in 15m 39s

Build command:

mvn clean verify -B -e -Daudit -Djs.no.sandbox -pl shims/apache/driver

---

👌 All tests passed!

Tests run: 40, Failures: 0, Skipped: 1    Test Results

---

ℹ️ This is an automatic message